Trump team challenge: Hardening critical infrastructure against SCADA-targeted Attacks

By Stephen Bryen

Defaced Bronze Soldier of Tallinn

Cyber warfare is rapidly becoming part of the modern military and political arsenal of many nations, including the United States. Incoming U.S. President Donald Trump wants to stop cyber attacks. He is bringing in top corporate experts as advisers and has asked former New York mayor Rudolph Giuliani to act as his eyes and ears.

There are many kinds of cyber attacks and perpetrators with various complex political, economic and military goals. But the most dangerous attacks are those that would impact the balance of power by damaging a state’s critical infrastructure.

The U.S. passed its first Computer Security Act in 1987 to address the vulnerability of the critical infrastructure, which includes government and military functions, the defense industry, transportation, energy (power plants, oil refineries, transmission systems etc.), emergency and medical services, water and food supply systems, and banking and finance. Since that time, however, all of them have been attacked and the U.S. has sustained substantial damage. Vital national security information has been compromised and defense secrets lost. American banking and credit institutions have been successfully attacked. Fears for the future include paralyzing America’s command and control systems, taking control of its nuclear assets, and isolating and shutting down crucial decision-making centers and related communication networks.

Hardening the infrastructure, creating a “U.S. only” system (not purchasing foreign, mainly Chinese, systems) and eliminating weak controllers that can be compromised would be good first steps.

The U.S. does not lack cyber weapons or the will to use them. Much of America’s capacity for cyber warfare has been exposed by Edward Snowden, who had unprecedented access to some of the National Security Agency’s (NSA) deepest secrets. Much of what Snowden recorded has now been published, exposing how a major part of the U.S. intelligence system sucks up information and employs malicious tools against possible adversaries.

The most famous of all is the U.S.-Israeli tool called Stuxnet. Stuxnet is, so far as is known, the most sophisticated single tool ever deployed; it was used against Iran’s centrifuge program enriching uranium for a potential nuclear weapon. Stuxnet was based on excellent intelligence on Iran’s centrifuge system and on the computers, SCADA controllers and frequency converters that ran it.

Stuxnet was able to take over Iran’s German-origin Siemens controllers, spinning many of the centrifuges at high speed and ruining them.

SCADA systems are used to manage operations at oil refineries, nuclear and conventional power plants, manufacturing systems and classified control systems, including the manufacture of nuclear weapons, as was the case in Iran.

The U.S. is not the only country to carry out an attack on the critical infrastructure or to focus an attack on SCADA-operated systems. China and Russia also have done it, with China aiming most heavily at Taiwan (its practice target) and against the U.S. critical infrastructure. There have been other attacks on power plants world-wide. Notably, according to South Korea’s investigators, the Korea Hydro and Nuclear Power Company was hit by a cyber attack between December 9-12, 2014. In the attack, some 5,986 “phishing” emails were sent to 3,571 employees of the power company. Data about the plant and strategic diagrams were taken by the North Koreans. However, it does not appear that the operation of the nuclear plant was directly attacked, although North Korea would have gotten hold of information on the SCADA systems and other software controlling the plant. And, as the phishing emails reveal, this was not an amateur operation, in the sense that the full employee list plus email addresses was in the hands of the perpetrators. Clearly, the level of security at Korea Hydro and Nuclear was very poor. A successful attack on a nuclear plant, sending it out of control, could cause an incident as serious as Chernobyl.

Russia, on the other hand, despite the most recent allegations of an attack on a Vermont-based power plant (now proven false), has focused on nearby neighbors including Estonia, Poland, Georgia, and Ukraine. These attacks began in 2007 when the Estonians removed a war memorial and associated graves known as the Bronze Soldier of Tallinn, a salute to the Red Army soldiers who liberated Estonia from the Nazis. In response, the Russians demanded autonomy for the local Estonian Russian-speaking population and launched cyber attacks against sensitive banking and financial institutions, newspapers and supposedly secret telecommunications nodes which were part of Estonia’s national security apparatus.

By far the most sophisticated Russian attack was just before Christmas in 2015, against Ukrainian power stations and substations belonging to Prykarpattyaoblenergo servicing the Ivano-Frankivsk Oblast area in northwest Ukraine. (A related attack, but not as severe, took place one year later.) Analysts agree that the perpetrator was a Russian-origin group known as Sandworm, a name taken from a 1984 American epic science fiction film. Sandworm’s mission is mainly to focus on the Ukraine and “outside” political and military actors supporting Ukraine (including NATO leaders, European politicians and organizations etc.). Sandworm distributed malware embedded in a PowerPoint presentation to NATO and specializes in attacking SCADA controllers, especially those manufactured by GE, Siemens, and Broadview Networks.

Its attack on the Ukrainian power station is regarded as perhaps the most sophisticated ever launched against a power station. The Ukrainian plant’s control systems and security were top notch. Nonetheless, using malware called the BlackEnergy Trojan, the Sandworm hackers executed a series of moves based on six months of elaborate reconnaissance that paid off when they attacked. A key feature of the attack is that the power plant’s staff was locked out of the computers by which it controls operations. Being locked out, the staff was unable to take steps to mitigate the attack. A similar attack on a nuclear power plant could do more than just shut down power output: it could cause the reactor to go out of control.

The lessons are clear. An adversary today, whether a state actor, a criminal conspiracy or a terrorist organization, can attack any critical infrastructure in the U.S. or abroad. In addition, it is likely that many already have carried out the necessary reconnaissance, set up the attack plans, and tested the likelihood of success in anticipation of a full-blown attack. Finally, it is clear that even a critical infrastructure with current-day protection probably cannot survive a sophisticated operation.

The challenge to the new administration is how to better protect America’s systems. The first step must be to find ways to harden the SCADA systems substantially, meaning that commercially produced systems bought today on the global market are a bad solution. SCADA systems need multilevel security, two-step verification and compartmented access along with strong encryption and, even then, must be isolated from the Internet. A hardened new design produced under U.S. government control, and distributed only to users approved by the government for enhanced protection, would make it difficult, if not impossible, to successfully penetrate America’s vital systems. If the Trump administration moves in this direction, we will be a lot safer in the future.

This article appeared originally in Asia Times.  The article has been expanded in this version.